Re: ISP and DNS port scanning!
> On Tue, Nov 18, 2003 at 10:50:02PM +0000, Antony Gelberg wrote:
> >Looks like a ping (ICMP type 8). Where do you get port scanning from?
> >FWIW, I think that blocking pings via a firewall isn't recommended, but
> >not sure why.
Jon wrote:
> It does not provide any kind of security or protection what-so-ever,
> whilst removing the proper way of other people / you from elsewhere
> determining if your connection is working ok.
> --
> Jon Dowland
> http://jon.dowland.name/
What you have all said still does not sync. When I look at the notes provided
in my log I can see what you mean: it is a type 8 ICMP, code 0, or whatever you
say that means, but the destination is another DNS server.
This is a line taken from my log again.
11/18/2003 14:53:24 Firewall default policy: ICMP (W to W/ZW, type:8,
code:0) 66.61.104.72 66.61.118.206 ACCESS BLOCK 14
OK, like I mentioned in my first post, if I do an ARIN Whois on address
66.61.104.72 it tells me it is a DNS block. When I do an ARIN Whois on the
destination 66.61.118.206 it is another DNS block; both happen to belong to
my ISP but in different cities. My cable modem action light is almost always
solid orange, which tells me I have a busy link even if I am not using the
net.
So why am I getting pinged by a DNS server? Why do all the destinations
reported by my router log point to another DNS server?
Even if I forwarded the ping to a DMZ or a safe machine, it would not find the
machine, since I do not have any access to that network block. My Debian
uses DHCP to log into my ISP through my router; my Windows machines use
static IPs set up to log into my router.
My router is a Zyxel ZyWall 2xw with 802.11b for wireless clients. I do not
run any web or FTP servers, and at the moment I do not have any ports
forwarded to any machine. It's like a default setup with a hardware firewall
and no ports open to the outside world. All passwords are changed, and the WEP
key is changed at a reasonable time frame. Everything works great, except I keep
getting those recorded in my log.
I could understand if the destination was my router, or a machine under the
subnet but it is not. Also the source machines seem to change unlike the
destination machine.
That is the reason I wanted to ask all of you; I really do not know why this
is happening.
Rthoreau
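An added triage script, not part of the original post: it parses the ZyWall "Firewall default policy" ICMP line quoted above, names the ICMP type/code, and checks whether either address is actually on the local side (the poster's own WAN range is not given, so a constructed placeholder network is used).

```python
import ipaddress
import re

# Regex for the ZyWall 2 "Firewall default policy" ICMP line quoted in the
# post (the mail wraps it; here the fields are separated by single spaces).
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Firewall default policy: ICMP \((?P<dir>[^,]+), type:(?P<type>\d+), "
    r"code:(?P<code>\d+)\) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<action>[A-Z ]+?) (?P<count>\d+)$"
)

# A few common ICMP type/code pairs; 8/0 is the echo request seen in the log.
ICMP_NAMES = {
    (8, 0): "echo request (ping)",
    (0, 0): "echo reply",
    (3, 3): "destination unreachable / port unreachable",
    (11, 0): "time exceeded in transit",
}

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not ICMP."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "count"):   # count: trailing number as logged
        rec[key] = int(rec[key])
    rec["icmp"] = ICMP_NAMES.get((rec["type"], rec["code"]), "other")
    return rec

def triage(rec, local_nets):
    """Say whether the blocked packet involved the local side at all.

    local_nets: CIDR strings for the router's WAN address and LAN ranges."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    if any(dst in n for n in nets):
        return "inbound to local address"
    if any(src in n for n in nets):
        return "outbound from local address"
    return "neither end is local"

# The line quoted in the post, re-joined onto one line.
SAMPLE = ("11/18/2003 14:53:24 Firewall default policy: ICMP (W to W/ZW, type:8, "
          "code:0) 66.61.104.72 66.61.118.206 ACCESS BLOCK 14")
# Constructed placeholder for the poster's own WAN range (not given in the post).
MY_NETS = ["192.0.2.0/24"]

if __name__ == "__main__":
    rec = parse_line(SAMPLE)
    print(rec["src"], "->", rec["dst"], rec["icmp"], "|", triage(rec, MY_NETS))
```

Entries that come back as "neither end is local" are the ones the post describes: packets the router saw and logged even though neither address belongs to the poster.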